Security Firm CertiK Detects $5M Security Flaw in Cross-Chain Bridge Wormhole

Security firm CertiK said it has detected and prevented a flaw in the cross-chain bridge Wormhole which could have resulted in $5 million worth of losses.

In a social media post, CertiK said its research team found a critical bug in Wormhole — an incorrect application of the public and entry modifiers exposing the blockchain to potential multimillion-dollar exploits.

In a short video explainer, CertiK runs through how it detected the flaw in the network.  CertiK said this case study not only underscores the critical role of proactive security practices but also celebrates the power of open-source software in raising security and transparency standards across the Web3 world.

Wormhole supports the transfer of tokens and data across different blockchain networks. The crypto project was spun off by Jump Trading Group and is one of the most popular bridges linking the Ethereum and Solana blockchains.

Wormhole Experienced the Largest DeFi Attack in 2022

In 2022, Wormhole lost about $321 million in an exploit. Hackers compromised Wormhole Bridge leading to 120,000 wETH loss from the platform, equivalent to $321 million. It was the largest DeFi attack of 2022 and the hacker swapped wETH tokens with Ethereum, SOL, USDC, APE, SX, etc.

An investigation conducted by pseudonymous researcher Pland, detailed in an X post on April 4th, revealed that the Wormhole team overlooked excluding several wallet addresses associated with the exploit that drained $321 million in crypto from the cross-chain bridge.

Chainalysis said to understand why the 2022 attack was more serious than the average hack, it is important to know how cross-chain bridges work.

“Users interact with cross-chain bridges by sending funds in one asset to the bridge protocol, where those funds are then locked into the contract. The user is then issued equivalent funds of a parallel asset on the chain the protocol bridges to. In the case of Wormhole, users typically send Ether (ETH) to the protocol, where it is held as collateral, and are issued WeETH on Solana, backed by that collateral locked in the Wormhole contract on Ethereum,” — Chainalysis: Lessons from the Wormhole Exploit.

April 2024 saw the lowest combined losses from crypto-related hacks and scams, with CertiK reporting approximately $25.7 million lost to exploits, hacks, and scams.

This latest figure marks the lowest recorded hacks since CertiK began tracking such incidents in 2021, as flash loan attacks and private critical hacks decreased.